I am designing an application (let's call it a TodoList app) based on VueJs (for the UI) + NodeJs (for the backend, which will run in Google Cloud Platform) + Firestore (for the auth + database).
I have wandered through the huge documentation of Google (sometimes redundant!) to achieve something that should work but I am not sure it's production-proof.
Situation:
- A user has signed-in on my VueJs app thanks to the password-based authentication of Firebase (and the user's credentials, including his accessToken, are stored in my Vuex store).
- The Firebase Admin SDK is running on my backend.
- My VueJs app is requesting my backend.
- The backend verifies the accessToken sent in the client-side request
- It is my backend that request my Firestore database thanks to the Admin SDK
I have set some security rules on my Firestore database:
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId}/{document=**} {
allow read, write: if request.auth.uid == userId;
}
}
}
so that I don't want any logged users to access data from another user.
Question:
As the Firebase Admin SDK has full privilege on my Firestore database, how can I make sure there won't be any security issues. For now, I am just verifying the accessToken sent in the request to my backend, but ... something makes me feel wrong with this!
Code:
On client-side:
auth.onAuthStateChanged((user) => {
if (user) {
// Save the user credentials
}
}
On server-side:
// idToken comes from the client app (shown above)
// ...
admin.auth().verifyIdToken(idToken)
.then(function(decodedToken) {
var uid = decodedToken.uid;
// Retrieve or add some data in /users/{userId}/{document=**}
}).catch(function(error) {
// Handle error
});
As you can see, once I validate the accessToken and retrieve the uid, I can do anything on my database.
References
Thanks for your help!
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…